Multiple Computer Communication Using Cryptography Patents (Class 713/150)
  • Patent number: 10104553
    Abstract: Certain aspects of the present disclosure generally relate to wireless communications and, more particularly, to protecting control frames with power-related subfields. One example apparatus for wireless communications generally includes a processing system configured to generate a control frame comprising one or more power-related subfields and an integrity check value calculated based, at least in part, on the one or more power-related subfields and a transmitter configured to transmit the control frame. In aspects, a power management (PM) subfield, an end-of-service-period (EOSP) subfield, a more data (MD) subfield, or a traffic identifier (TID) subfield can be added to a group of additional authentication data (AAD) and the integrity check value is calculated based on the group of AAD.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: October 16, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Maarten Menzo Wentink, Alfred Asterjadhi, Jouni Kalevi Malinen
  • Patent number: 10104717
    Abstract: A wireless communication device can include a processor to operate multiple virtual network interfaces that communicate simultaneously over a common wireless physical interface with different wireless networks. A first virtual network interface can be an infrastructure virtual interface to communicate over a first infrastructure network, and a second virtual network interface can be an ad-hoc interface to communicate over a second ad-hoc network. Another virtual network interface can be a Station (STA) infrastructure interface to communicate with an Access Point (AP) over a first infrastructure wireless network, and another virtual network interface can be an AP infrastructure interface to communicate with a STA over a second infrastructure wireless network. Another virtual network interface can be a Wireless Distribution System (WDS) interface to allow the AP infrastructure interface to communicate with another Access Point.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: October 16, 2018
    Assignee: SRI International
    Inventor: David Gurevich
  • Patent number: 10095852
    Abstract: In a computing device, when a user requests to carry out an operation, the device determines the type of operation requested and the time period since the user was last authenticated. The operation is enabled only if the determined time period does not exceed a threshold for the requested operation.
    Type: Grant
    Filed: October 13, 2016
    Date of Patent: October 9, 2018
    Assignee: Nokia Technologies Oy
    Inventors: Craig Robin Paskett Heath, Leon Clarke
  • Patent number: 10097493
    Abstract: A method for managing an electronic mail. A command list of a communication electronic mail transmission protocol is partitioned into command sub-lists using recursive parameters appearing in the command list prior to the partitioning of the command list. Each recursive parameter is a command that is repeated in respective command sub-lists as a result of the partitioning. Each command sub-list includes at least one command pertaining to a receiver or sender of the electronic mail. Each command sub-list is individually selectable for subsequent use of the at least one command in a subsequently selected command sub-list in implementing the electronic mail. A selection of at least one of the command sub-lists viewable in a user interface is received. Each command of the at least one command specifies a respective aspect of how to implement the electronic mail in a subsequent implementation of the electronic mail.
    Type: Grant
    Filed: January 4, 2017
    Date of Patent: October 9, 2018
    Assignee: International Business Machines Corporation
    Inventor: Deepak Gupta
  • Patent number: 10097557
    Abstract: A system including a domain controller and a document, policy, and collaboration servers. The document server receives a request signal based on an input received at a web browser of a user device and generates an authentication signal. The request signal requests access to a document. The document server provides a cloud-based service for access to the document. The domain controller, based on the authentication signal, determines a profile or authorization level of a user. The document server, based on the profile or the authorization level, transmits a second authentication signal to the user device. The policy server stores a digital rights management policy for the user. The collaboration server: based on the second authentication signal, receives a digital rights management signal from the user device; and based on the digital rights management policy of the user, permits a controller of the user device to access the document.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: October 9, 2018
    Assignee: LAM RESEARCH CORPORATION
    Inventor: Michael Armer
  • Patent number: 10091637
    Abstract: The present disclosure relates to a method performed by a network element 2 in a communication network 1. The method comprises detecting a machine device (MD) 4 able to provide a first type of information to the network. The method also comprises receiving an information message comprising a token of a service 3 which is interested in receiving the first type of information. The method also comprises sending a request message to the MD comprising the token and a request for the MD to send the first type of information together with the token. The present disclosure also relates to a machine device as well as to the network element and a rendezvous point, and methods thereof, in the network.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: October 2, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Ari Keränen, Tero Kauppinen, Jan Melén
  • Patent number: 10089591
    Abstract: Methods and arrangements for providing classification for a business process hierarchy. Packaged application objects are received, comprising at least one of the standard application objects and custom objects. At least one of the standard application objects is mapped to at least one node of a business process hierarchy, thereby forming at least one mapping template. At least one of the standard application objects is mapped to at least one of the custom objects to create a first mapping, and at least one of the custom objects is mapped to at least one of the standard application objects to create a second mapping. The at least one mapping template, the first mapping and the second mapping are combined, to create a mapping of at least one of the custom objects to the business process hierarchy. Other variants and embodiments are broadly contemplated herein.
    Type: Grant
    Filed: June 4, 2013
    Date of Patent: October 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Biswaroop Chatterjee, Pankaj Dhoolia, Anjan Nandy, Diptikalyan Saha, Ramesh Babu Tirukoti
  • Patent number: 10084825
    Abstract: Systems and methods for coordinating security operations among members of a cooperative security fabric (CSF) are provided. According to one embodiment, a first network security appliance of a CSF receives incoming network traffic and determines whether the network traffic has been transmitted from a second network security appliance based on a flag carried by one or more packets of the network traffic. If the incoming network traffic is from the second network security appliance, the first network security appliance determines network security operations that are executed by the second network security appliance and then determines local network security operations. The first network security appliance executes the local network security operations on the network traffic.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: September 25, 2018
    Assignee: Fortinet, Inc.
    Inventor: Xiaodong Xu
  • Patent number: 10084780
    Abstract: A user device may request access to a service provided by an application server. The application server may request that an identity server authenticate the user device. The identity server may have a network authentication system assist with the authentication of the user device. Once authenticated by the network authentication system, the application server may be informed and may grant the user device access to the requested service. Additionally, the identity server may help determine whether the user device is a security threat by comparing user information from the network authentication system with user information from the application server. Additionally, the network authentication system may provide the application server with user information to enable the application server to automatically register the user device for a particular service.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: September 25, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Guanqun Bao, Brian Libonate, Raymond C. Counterman
  • Patent number: 10079870
    Abstract: The present invention teaches new solutions based on an alternative approach to controlling client behavior in adaptive streaming applications, namely, server managed adaptive streaming. In this approach, the client makes requests for streaming content and provides extra information about its behaviors, and the server verifies the information to determine if the requests can be granted. This way, even if the client is not trusted, its behaviors can be properly and effectively controlled. Moreover, all of the solutions resulting from adopting this server managed adaptive streaming approach fit into the MPEG/3GPP standards of Dynamic Adaptive Streaming over HTTP (DASH).
    Type: Grant
    Filed: August 1, 2016
    Date of Patent: September 18, 2018
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xin Wang, Yongliang Liu, Shaobo Zhang
  • Patent number: 10075469
    Abstract: Information can be added to the headers of email messages to ensure the messages are delivered using encryption, without the user having to manage keys or perform the encryption. A user can select an option in an email program that causes a flag to be added to the message header. Each mail server along the delivery path can provide (or expose) information about the type(s) of encryption supported, and if the encryption is not sufficient then the message will not be delivered to that server. This ensures the transport will remain encrypted before delivering the message to the next hop along the path. If the message cannot be delivered encrypted then the message will not be transmitted past that point. An end user then only needs to click a button or perform another such action to ensure encrypted message delivery.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: September 11, 2018
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Nicholas Howard Brown, Gregory Branchek Roth
  • Patent number: 10057055
    Abstract: A method in a User Equipment (UE) of an Evolved Packet System (EPS) establishes a security key (K_eNB) for protecting Radio Resource Control/User Plane (RRC/UP) traffic exchanged with a serving eNodeB. The method comprises sending a Non-Access Stratum (NAS) Service Request to a Mobility Management Entity (MME), the request indicating a NAS uplink sequence number (NAS_U_SEQ). The method further comprises receiving an indication of the NAS_U_SEQ of the NAS Service Request sent to the MME, back from the MME via the eNodeB. The method further comprises deriving the K_eNB from at least the received indication of the NAS_U_SEQ and from a stored Access Security Management Entity-key (K_ASME) shared with said MME.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: August 21, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Rolf Blom, Gunnar Mildh, Karl Norrman
  • Patent number: 10044719
    Abstract: Systems and methods, implemented by one or more nodes in a cloud-based security system, for enforcing application-based control of network resources include receiving a request from a user device for the network resources; evaluating the request through the cloud-based security system and determining an application on the user device performing the request; and performing one of (1) denying the request if the application is unauthorized to access the network resources, (2) redirecting the request to an authorized application on the user device if the application is legitimate but unauthorized to access the network resources, and (3) allowing the request if the application is authorized to access the network resources.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: August 7, 2018
    Assignee: Zscaler, Inc.
    Inventors: Purvi Desai, Abhinav Bansal
  • Patent number: 10033724
    Abstract: A system which generates composite passwords which can act to trigger a designated event; said system comprising a database having stored thereon at least first and second hints associated with at least respective first and second passwords, all of which are associated with a designated user; the system storing hints and passwords for multiple designated users and wherein each hint and password pair is generated by an association procedure whereby the password is uniquely derivable from the hint by the designated user with which that hint and password pair is associated; a composite password generated by the system presenting in a designated order of at least first and second hints to a designated user in response to which the designated user inputs respective first and second passwords to a local device thereby to assemble a composite password from the first and second passwords; the composite password then being stored on the local device.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: July 24, 2018
    Inventor: Ben Damian Donohue
  • Patent number: 10033703
    Abstract: The present document describes systems and methods that provide pluggable cipher suites. In one embodiment, a client and a server perform a secure transport handshake that negotiates a set of supported cipher suites. The server determines if the cipher suites supported by the client are acceptable. When the server determines that the cipher suites supported by the client are not acceptable, the server provides a pluggable cipher suite to the client. The client runs the pluggable cipher suite in a sandboxed environment, and uses the pluggable cipher suite to add support for one or more additional cipher suites. In some implementations, the pluggable cipher suite is provided by a third-party server.
    Type: Grant
    Filed: June 16, 2015
    Date of Patent: July 24, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 10033471
    Abstract: A wireless connection pairing method and a first electronic device are provided. The method includes: broadcasting, through an audio system, an acoustic signal which carries pairing information for establishing wireless connection with a first electronic device; the first electronic device receiving from a second electronic device a request for establishing wireless connection with the first electronic device through a wireless network, where the request contains the pairing information extracted from the acoustic signal; and the first electronic device sending a notice of permission to the second electronic device. By employing the method, a mobile device can use connection service conveniently without inputting a password manually.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: July 24, 2018
    Assignee: Harman International Industries, Incorporated
    Inventors: Jianjun Ma, Zhaolong Kang, Zeng Yang
  • Patent number: 10034169
    Abstract: Methods, systems, apparatuses, and devices are described for authenticating in a network. A mobile device may establish a group account with an authentication server associated with the group. Upon successfully completing group account establishment, the mobile device receives a group authentication token that includes information associated with the authentication server, the group, the mobile device, a group key, versioning information, etc. The mobile device may use the group authentication token to authenticate with another mobile device that is a member of the same group. The versioning information may support backwards-compatibility between the group authentication tokens having different versions.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: July 24, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Abhishek Pramod Patil, George Cherian, Santosh Paul Abraham, Anand Palanigounder
  • Patent number: 10013566
    Abstract: In embodiments of the present invention improved capabilities are described for securely viewing computer data content, such as documents, presentations, spreadsheets, emails, blog entries, texts, and the like, wherein a secure exchange server is controlled by an intermediate business entity, and access to retention restricted computer data content is granted to a user of a second business entity when the secure exchange server receives appropriate login authentication data, wherein the retention restricted computer data content is accessible to the at least one user of the second business entity as limited by the content retention restriction, which is provided by a user of a third business entity.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: July 3, 2018
    Assignee: Intralinks, Inc.
    Inventors: Jerry Lee Meyer, Sudhakar Velamoor, Mushegh Hakhinian
  • Patent number: 10009316
    Abstract: A method for detecting network intrusion, performed by a processor is provided. The method includes coupling a computing or communication device to a network device and determining a geolocation of the network device. The method includes comparing the geolocation of the network device to an expected value and determining whether to connect to a network based on the comparing. A computer readable media containing instructions and a device are also provided.
    Type: Grant
    Filed: June 23, 2015
    Date of Patent: June 26, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Michael Shavell, Keith Newstadt
  • Patent number: 10009770
    Abstract: An example electronic device includes memory for storing a program for unlocking the first electronic device using a wearable electronic device; wireless communication circuitry; and one or more processors configured to execute the program stored in the memory to cause the electronic device to at least establish wireless communication, via the wireless communication circuitry, with the wearable electronic device when the wearable electronic device is in a wireless communication range of the first electronic device; determine whether the wearable second electronic device is authenticated for unlocking the first electronic device; determine whether the wearable electronic device is in a specific range of the first electronic device based on a signal transmitted from the wearable electronic device being worn; and unlock the first electronic device based on determining that the wearable electronic device is authenticated and is in the specific range of the electronic device.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: June 26, 2018
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Hun-Cheol Oh, Yong-Joon Jeon, Doo-Suk Kang, Seung-Nyun Kim
  • Patent number: 10003590
    Abstract: An electronic device with a display detects an input in a user interface for a second application not associated with a server system. In response to detecting the first input, the device sends a first request from the second application to a first application associated with the server system. In response to the first request, the device sends a first command from the first application to the server system on behalf of the second application. The first command is a command for performance of a first operation at the server system. The first operation corresponds to the input detected by the device. The device receives a voucher, or an indication that a voucher has been created, at the second application pre-authorizing performance of a predefined second operation at the server system upon receipt, by the server system, of a second command from the second application.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: June 19, 2018
    Assignee: FACEBOOK, INC.
    Inventors: Jason Duane Clark, Eugene Zarakhovsky
  • Patent number: 9992187
    Abstract: In one embodiment, a method includes initiating at a client application at a client device, a single sign-on authentication with a security device, receiving at the client application, a session identifier and location of a web portal for the single sign-on authentication from the security device, and passing the session identifier and location of the web portal from the client application to a browser installed at the client device, for use by the browser in performing the single sign-on authentication at the client device. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: June 5, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jiajun Lu, Songling Han, Andrzej Kielbasinski, Peter Davis
  • Patent number: 9985966
    Abstract: Technologies are generally described for providing an anonymous signature scheme. In some examples, a method performed under control of an end device may include receiving public parameters from a central system; generating an enciphering function based at least in part on the received public parameters; calculating parameters for a signature based at least in part on the generated enciphering function; and transmitting, to a verifying device, the signature that includes a message, a key of the end device and the calculated parameters for the signature.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: May 29, 2018
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Masahiro Yagisawa
  • Patent number: 9977906
    Abstract: A user device may strengthen the protection level of a digital content by dividing the security and normal modes and performing an operation. In order to further strengthen the protection level of the digital content, the user device may determine whether the main operating system is hacked or not, and blocks the operation in the secure mode. Otherwise, the device authorization information indicating the device security level of the user device is authorized by the content service server, and the user device blocks the operation in the secure mode according to the result.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: May 22, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Moon-Soo Chang, Seul-Han Park, Yang-Soo Lee
  • Patent number: 9980139
    Abstract: An example electronic device includes memory for storing a program for unlocking the first electronic device using a wearable electronic device; wireless communication circuitry; and one or more processors configured to execute the program stored in the memory to cause the electronic device to at least establish wireless communication, via the wireless communication circuitry, with the wearable electronic device when the wearable electronic device is in a wireless communication range of the first electronic device; determine whether the wearable second electronic device is authenticated for unlocking the first electronic device; determine whether the wearable electronic device is in a specific range of the first electronic device based on a signal transmitted from the wearable electronic device being worn; and unlock the first electronic device based on determining that the wearable electronic device is authenticated and is in the specific range of the electronic device.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: May 22, 2018
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Hun-Cheol Oh, Yong-Joon Jeon, Doo-Suk Kang, Seung-Nyun Kim
  • Patent number: 9973335
    Abstract: Examples are disclosed for exchanging a key between an input/output device for a network device and a first processing element operating on the network device. Data having a destination associated with the first processing element may be received by the input/output device. The exchanged key may be used to encrypt the received data. The encrypted data may then be sent to a buffer maintained at least in part in a memory for the network device. The memory may be arranged to enable sharing of the buffer with at least a second processing element operating on the network device. Examples are also disclosed for the processing element to receive an indication of the storing of the encrypted data in the buffer. The processing element may then obtain the encrypted data from the buffer and decrypt the data using the exchanged key.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 15, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ben-Zion Friedman, Eliezer Tamir, Eliel Louzoun, Ohad Falik
  • Patent number: 9971898
    Abstract: The invention relates to a method for providing an anonymized value for a data element stored with an original value in a database of a database system, wherein the method comprises the following steps: (i) producing a supplementary data element for the data element stored in the database; (ii) determining the anonymized value of the data element from the original value on the basis of a mapping rule for ascertaining anonymized values that is stored in the database system, and storing the anonymized value in the supplementary data element; and (iii) linking the supplementary data element to the data element such that, based on the reception of an access command relating to the data element from a user connected to the database system, the supplementary data element is read and the anonymized value contained therein is transmitted to the user.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: May 15, 2018
    Assignee: KABEL DEUTSCHLAND VERTRIEB UND SERVICE GMBH
    Inventors: Harald Badstieber, Daniel Guenther, Jens von Knethen, Viktor Palai, Florian Mertl
  • Patent number: 9967287
    Abstract: Disclosed are approaches for detecting attempts to circumvent security policies on a client device. A deletion of a user account on a computing device is detected, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service. Data stored in a memory of the computing device that is subject to a policy received from the management service is identified. The data is deleted from the memory of the computing device. The policy is then deleted from the memory of the computing device.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: May 8, 2018
    Assignee: AIRWATCH LLC
    Inventors: Varun Murthy, Kalyan Regula, Shravan Shantharam, Jason Roszak
  • Patent number: 9954898
    Abstract: This disclosure makes public a data flow forwarding method and device, and in this method, a second health state is acquired based on the first health state of one or more pieces of identifying information of the received data flow, wherein the first health state and second health state are associated with the access rights of the user and/or user device that sent the data flow; it employs firewall policy property sets to determine whether or not to forward the data flow, wherein the firewall policy property sets comprise: the second health state. The technical schemes based on this disclosure improve the ability of a firewall to identify network attacks or abnormal activities and reduce administration costs.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: April 24, 2018
    Assignee: Hillstone Networks, Corp.
    Inventors: Timothy Liu, Zhong Wang, Lingling Zhang, Bin Jia
  • Patent number: 9954877
    Abstract: Example methods and systems directed to an Alert Manager are described. According to various embodiments, the Alert Manager detects receipt of a message. The message includes a selectable functionality for accessing an external resource and message data indicative of a source of the message. The Alert Manager predicts when a recipient of the message will interact with the selectable functionality. Prior to the recipient's predicted interaction with the selectable functionality, the Alert Manager generates a message alert feature based on a degree of a difference between the external resource and the source of the message.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: April 24, 2018
    Assignee: eBay Inc.
    Inventors: Sergio Pinzon Gonzales, Jr., Romi Akpala
  • Patent number: 9948695
    Abstract: Disclosed are an apparatus and method configured to perform media file encryption. One example method may include retrieving a media file stored in a memory during a play time operation, executing the media file and receiving additional portions of the media file during the play time operation. The method may also include processing the media file and the additional portions of the media file to generate an output media and displaying the output media on a display of a user device.
    Type: Grant
    Filed: March 16, 2012
    Date of Patent: April 17, 2018
    Assignee: Alcatel Lucent
    Inventors: Rajesh J. Vale, Danny De Vleeschauwer
  • Patent number: 9947011
    Abstract: A method includes receiving a request for registered payment options associated with a user computing device, where the request includes an identifier uniquely identifying one of the user computing device and the user. The method includes identifying one or more payment options associated with the device identifier, where each of the one or more payment options is associated with respective payment instrument information. The method includes providing one or more codes, where each code of the one or more codes identifies a respective payment option of the one or more payment options. The method includes receiving a first code of the one or more codes and transaction information. The method includes accessing, based upon the first code, payment instrument information associated with the payment option identified by the first code, and causing the processing of the payment instrument information in relation to a transaction identified by the transaction data.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: April 17, 2018
    Assignee: PAYPAL, INC.
    Inventors: Andrew Kortina, William Ready, Dan Manges, John Sturino, Juan Benitez, II
  • Patent number: 9935769
    Abstract: Cipher suites and/or other parameters for cryptographic protection of communications are dynamically selected to more closely match the intended uses of the sessions. A client indicates a planned use of a session to a server. The client's indication of the planned use may be explicit or implicit. The server selects an appropriate set of parameters for cryptographic protection of communications based at least in part on the indicated planned use and the client and server complete a handshake process to establish a cryptographically protected communications session to use the selected set of parameters.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: April 3, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 9930123
    Abstract: Methods for re-anchoring a transport layer session in a communication network are disclosed. For example, a method receives a request to re-anchor a transport layer session and sends a packet notifying of a transport layer session re-anchor to a peer. The packet includes a header with a session identifier field, and a record type field that indicates that a payload of the packet comprises transport layer session re-anchor information. The method receives a confirmation of the transport layer session re-anchor notification. Another method receives a packet comprising a notification of a transport layer session re-anchor from a peer. The method updates a session management table and transmits packets to the peer using an updated address received in the notification of the transport layer session re-anchor.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: March 27, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David B. Small, Thomas Spencer, IV
  • Patent number: 9930028
    Abstract: The method to enroll a certificate to a device comprises the steps of providing a management application on a management device, the management application discovering a device that needs certificate enrollment, wherein the discovery information includes a public key of the device. The management application forwards the public key of the device to a certificate enrollment server, and the device requests a certificate enrollment at the certificate enrollment server by including the public key of the device at the certificate request for a secure certificate enrollment to the device.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: March 27, 2018
    Assignee: Thomson Licensing
    Inventors: Roeland Van Den Broeck, Bruno De Bus
  • Patent number: 9922296
    Abstract: A distribution apparatus includes a reception part that receives first data and a request for execution of a process according to a process definition formed of one or more units of processing with respect to the first data, and one or more processing parts that execute the corresponding one or more units of processing. At least one processing part is a distribution part that distributes, to a distribution destination specified in the process definition, the first data or second data output as a result of execution of a unit of processing executed before a unit of processing corresponding to the at least one processing part. The distribution part distributes the first or second data based on information indicating a distribution method for the specified distribution destination defined in the process definition, when the specified distribution destination is included in multiple distribution destinations to which a communications protocol is common.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: March 20, 2018
    Assignee: Ricoh Company, Ltd.
    Inventor: Hideaki Hayano
  • Patent number: 9923874
    Abstract: A packet obfuscation method comprising receiving a data packet having a routing header portion and a payload portion, performing a first obfuscation on the routing header portion to generate an obfuscated routing header portion, performing a second obfuscation on at least the payload portion to generate an obfuscated payload portion, and combining the obfuscated routing header portion and the obfuscated payload portion to form an obfuscated packet. A packet forwarding method comprising obfuscating routing information using a packet obfuscation function, generating a plurality of forwarding rule entries in accordance with the obfuscated routing information, transmitting the plurality of forwarding rule entries to at least one network node in a network, transmitting the packet obfuscation function to at least one network node in the network, and transmitting a de-obfuscation function to at least one network node in the network.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: March 20, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Tao Wan, Peter Ashwood-Smith, Wen Tong
  • Patent number: 9912478
    Abstract: Technical solutions are described for authenticating a hosting system prior to securely deploying a shrouded virtual server. An example method includes receiving, by a hypervisor, a request for a public certificate, from a client device that requested the virtual server, and sending the public certificate of the hosting system that executes the hypervisor. The method also includes receiving, in response to the public certificate being successfully authenticated by the client device using a third-party verification system, a session key based on a public key included in the public certificate. The method also includes decrypting the session key using a private key, where the private key is pre-installed in the hosting system by a manufacturer of the hosting system, and sending an acknowledgement message encrypted using the session key. The method also includes establishing a secure communication between the client device and the hypervisor using the session key.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: March 6, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Khary J. Alexander, Reinhard T. Buendgen, K. Paul Muller, James A. O'Connor, William J. Rooney, Tiberiu Suto, Craig R. Walters
  • Patent number: 9912654
    Abstract: Architecture that provides Internet Protocol security (IPsec) certificate exchange based on certificate attributes. An IPsec endpoint can validate the security context of another IPsec endpoint certificate by referencing certificate attributes. By facilitating IPsec certificate exchange using certificate attributes rather than solely certificate roots, it is now possible to build multiple isolated network zones using a single certificate authority rather than requiring one certificate authority per zone. Moreover, the ability to use certificate attributes during the IPsec certificate exchange can be leveraged for more focused communications such as QoS (quality of service). Certificate attributes can be utilized to identify the security context of the endpoint. The IPsec certificate use can be locked down to a single IP or group of IPs.
    Type: Grant
    Filed: November 12, 2009
    Date of Patent: March 6, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Anatoliy Panasyuk, Dharshan Rangegowda, Abhishek Shukla
  • Patent number: 9906564
    Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: February 27, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
  • Patent number: 9900319
    Abstract: Systems and techniques for resilient network construction using enhanced privacy identification are described herein. A group certificate may be generated for a first device group. The first device group may include a plurality of devices having a shared attribute. A request may be received from a device of the plurality of devices for a data exchange session with a data partner device. The data partner device may be included in a second device group. The data exchange session may be enabled based on a set of permissions related to the group certificate. The set of permissions may define, at least in part, the accessibility of the second device group to the first device group.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: February 20, 2018
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Nathan Heldt-Sheller
  • Patent number: 9894467
    Abstract: A method and apparatus for starting or stopping a device-to-device (D2D) operation in a wireless communication system is provided. A user equipment (UE) supporting proximity services (ProSe) receives system information which indicates starting or stopping a D2D operation from a network, and starts or stops the D2D operation according to the system information. The system information may include a D2D start/end time which indicates when the D2D operation is started or stopped.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: February 13, 2018
    Assignee: LG Electronics Inc.
    Inventors: Youngdae Lee, Sunghoon Jung
  • Patent number: 9886595
    Abstract: A method and an apparatus for executing applications in a highest-priority-first order in the processor divided into a secure mode area and a non-secure mode area are provided. The method includes receiving a request to be processed in the non-secure mode domain from the application, determining an access permission level configured to a resource used for processing the request, determining, when the access permission level allows for access from the secure mode domain, a priority of the application, changing the access permission level to allow for access by the non-secure mode domain according to the priority of the application, and processing the request of the application using the resource in the non-secure mode domain.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: February 6, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyungsoo Kwag, Jaemin Ryu, Jungkyuen Lee, Kyungim Jung, Hyunjin Choi
  • Patent number: 9888010
    Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: February 6, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Vadim Makhervaks, Richard Mousseau, Bjørn Dag Johnsen, Sumanta Chatterjee, Avneesh Pant, Jean De Lavarene, Kant C. Patel, Bhaskar Mathur, Feroz Alam Khan, Sudeep Vatsanath Reguna
  • Patent number: 9888037
    Abstract: A client and a server negotiate a cipher suite as part of establishing a TLS connection. Cipher suites are rated with an associated level of security. In one example, the client and the server maintain a historical record that identifies the cipher suites used in previous TLS connections between the client and the server. The client and the server determine a minimally acceptable cipher suite rating based at least in part on the historical record of previously used cipher suites. If the negotiated cipher suite has a rating less than the determined minimally acceptable cipher suite rating, the TLS connection may be terminated, the cipher suite may be renegotiated, or other corrective action may be taken. In another example, the client and the server exchange digital certificates, and the digital certificates identify cipher suites for use with a TLS connection that are acceptable to the certificate owner.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: February 6, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 9877075
    Abstract: A method includes receiving data from a communication device at a processor of a proxy device, the data requesting a recording of media content. The method includes sending a first command to a first media recording device and a second command to a second media recording device. The first command instructs the first media recording device to generate a first recording based on the media content, and the second command instructs the second media recording device to generate a second recording based on the media content. The first recording has a first file format and the second recording has a second file format. The second file format is compatible with a portable device.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: January 23, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Lee Friedman
  • Patent number: 9872321
    Abstract: Establishing and controlling a tunnel for carrying a PDN connection between a first node and a second node. The first node sends a request to set up a tunnel, the request including a first identifier. The first node then receives a second identifier for use in identifying the tunnel when receiving data sent from the second node to the first node. Data packets are sent from the first node, the data packets including the first and/or second identifiers for identifying the tunnel from the first node to the second node. Data packets are received from the second node, the data packets including the second identifier from the second node to the first node.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: January 16, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Dinand Roeland, Zu Qiang, Stefan Rommer
  • Patent number: 9870591
    Abstract: A blockchain configured system and a method for facilitating an expertise driven review and scoring of electronic documents in a crowdsourced environment. The system includes a server computer, a memory circuit and a processing circuit. The processing circuit is coupled to the memory circuit and includes or is coupled to a credentialing engine. The system further includes an expert scoring module. The system further includes a document reviewing and scoring engine coupled to the processing circuit. The document review and scoring module associates an aggregate score to the electronic document based on aggregation of the review ratings by crowdsourced experts and aggregate scores of each of the crowdsourced experts based on the set of attributes including one or more of the credentialed expertise, reputation of the expert, and the officiality.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: January 16, 2018
    Assignee: Netspective Communications LLC
    Inventor: Shahid N. Shah
  • Patent number: 9866387
    Abstract: A method for accessing a device by a user connected to the device and to at least two servers in different networks includes collaboratively generating parts of an authentication ticket on the at least two servers, collaboratively generating parts of a user session key and encrypting a combined user session key, authenticating with the authentication ticket at a distributed ticket granting server by collaboratively decrypting user request information using the combined user session key and comparing its content with the authentication ticket, collaboratively generating an encrypted user-to-device ticket and an encrypted user-to-device session key, and accessing the device by the user using the encrypted user-to-device ticket and the user-to-device session key.
    Type: Grant
    Filed: April 12, 2013
    Date of Patent: January 9, 2018
    Assignee: NEC Corporation
    Inventors: Jens-Matthias Bohli, Wenting Li, Jan Seedorf
  • Patent number: 9860221
    Abstract: Systems and methods may provide for determining a first key associated with a first group and determining a first resource exposure policy for the device with respect to the first group. Additionally, the first key may be used to send first operational and security context data to a first dynamic group verifier in accordance with the first resource exposure policy. In one example, a second key associated with a second group is determined, a second resource exposure policy is determined for the device with respect to the second group, a local context change is detected, and the second key is used to send, in response to the local context change, second operational data to a second dynamic group verifier in accordance with the second resource exposure policy.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: January 2, 2018
    Assignee: Intel Corporation
    Inventor: Ned M. Smith